Abstract: In a method and system for managing concurrent access to multiple resources, resources are assigned to sets in such a way that it is safe to concurrently access any combination of resources in a resource set. For each resource set, a virtual machine is defined and associated with the resource set. An application is assigned to a virtual machine. When an application requests access to a resource not in the application's virtual machine, access control lists are consulted to determine whether the access should be allowed, given the other resources already accessed by the application.

Abstract: A method to synchronize and upload an offloaded network stack connection between a host network stack and processing device is presented. A state object for each layer in the stack is sent to the device that includes state variables that are classified as a constant, a cached variable handled by the host, or a delegated variable handled by the device. State that must be updated by the network stack and the processing device is cleanly divided. For example, statistics are tracked by the host, the device, or the host and the device. A statistic tracked by both the host and processing device is divided into non-overlapping portions and combined to produce the statistic. Once an upload is initiated, the device achieves a consistent state and hands delegated states to the stack. Each layer in the stack takes control of its delegated state and resources at the device are freed.

Abstract: Methods are provided that allow high-level protocol drivers to cancel transmission requests that have been sent to low-level protocol drivers. Transmission requests are assigned cancel identifiers. Because one original request may be divided into several packets for transmission, the same cancel identifier is given to every packet that derives from the original request. High-level protocol drivers can request cancellation of all pending requests whose cancel identifiers match the one indicated. Cancel identifiers generated by different high-level protocol drivers are mutually distinct so one protocol driver cannot inadvertently cancel requests made by another. The protocol driver may divide its requests into logical flows and assign the same cancel identifier to all requests within one flow. Then, the protocol driver may cancel all pending requests within one flow while allowing requests in other flows to proceed to transmission.

Abstract: For a method and system for managing concurrent access to multiple resources, resources are assigned to sets in such a way that it is safe to concurrently access any combination of resources in a resource set. For each resource set, a virtual machine is defined and associated with the resource set. An application is assigned to a virtual machine. When an application requests access to a resource not in the application's virtual machine, access control lists are consulted to determine whether the access should be allowed, given the other resources already accessed by the application.

Abstract: A system and method are presented that enhance the performance of single and multiple-processor servers by taking advantage of the half-duplex nature of many HTTP requests. Upon receipt of an HTTP Get resource request, a single send and disconnect IRP is generated. The semantics of the send and disconnect IRP completion recognizes the half-duplex nature of the transaction by indicating a graceful close of the TCP/IP connection. This send and disconnect IRP is also completed without a queuing stage (queuelessly) on the processor that serviced the client request. To further enhance performance, the server FIN message to the client is included in the last data frame transmitted to the server. The invention also contemplates transmission of a single HTTP get and disconnect request by a client to allow acknowledgementless disconnection of the TCP/IP connection once a requested resource has been sent.

Abstract: A system and method are presented that enhance the performance of single and multiple-processor servers by taking advantage of the half-duplex nature of many HTTP requests. Upon receipt of an HTTP Get resource request, a single send and disconnect IRP is generated. The semantics of the send and disconnect IRP completion recognizes the half-duplex nature of the transaction by indicating a graceful close of the TCP/IP connection. This send and disconnect IRP is also completed without a queuing stage (queuelessly) on the processor that serviced the client request. To further enhance performance, the server FIN message to the client is included in the last data frame transmitted to the server. The invention also contemplates transmission of a single HTTP get and disconnect request by a client to allow acknowledgementless disconnection of the TCP/IP connection once a requested resource has been sent.

Abstract: A method to offload a network stack connection is presented. A request, which includes a list of resource requirements from each software layer in the stack, to offload the network stack connection is sent through the stack to the peripheral device. The peripheral device is a second processor that processes the offloaded network stack connection in software, in hardware, or a mixture of hardware and software. The device allocates resources for the list and sends a handle to each of the software layers for communication with the device. The state for each layer is sent to the device that includes state variables that are classified as a constant, a cached variable handled by the CPU, or a delegated variable handled by the device.

Abstract: In an exemplary device implementation, a device includes: a connection migrator that is configured to migrate connections away from the device; the connection migrator capable of precipitating a compilation of protocol state for a connection across a protocol stack; the connection migrator adapted to aggregate the compiled protocol state with data for the connection into an aggregated connection state; the connection migrator further capable of causing the aggregated connection state to be sent toward a target device. In an exemplary media implementation, processor-executable instructions direct a device to perform actions including: obtaining at least a portion of a source/destination pair from a packet; accessing an encapsulation mapping table using the at least a portion of the source/destination pair to locate an encapsulation mapping entry; extracting a flow identifier from the encapsulation mapping entry; and replacing part of the packet with the flow identifier to produce an encapsulated packet.

Abstract: A transparent gateway having increased throughput during a file transfer protocol (ftp) session is provided. This increase is enabled through generalized network address translator (gNAT) at the kernel level that is under user-mode proxy control through an application programming interface (API). Initially, the proxy commands the API to generate a dynamic port-redirect in the gNAT for all connection requests for a port twenty-one to itself at the local port to which it is bound. The proxy may then establish a session on the client's behalf with the ftp server, establish a session on the client's behalf with a different ftp server, etc. The proxy then requests that the API command an address translation in the gNAT to open an ftp data session so that data from the ftp server need not pass up to the user-mode, but may be dynamically redirected within the kernel-mode.

Abstract: An application programming interface for translation of transport-layer sessions is presented. The system includes kernel-mode support for application-controlled network address translation and user-mode implementation of the redirect API routines. An application process may request that a network gateway modify the source and/or destination of a given network session in a manner transparent to the original source host and/or the replacement destination host. With the generalized NAT (gNAT) of the instant invention and its associated API, both the source and the destination addresses of message packets may be changed. The address changes are mapped in the gNAT, and may result in apparent sessions between different clients and servers. Depending on the protocol in use (e.g. TCP or UDP), the address translation may be made dynamically by the gNAT, under the command of the application, and take place at the kernel level.

Abstract: An application programming interface (API) for an intelligent transparent gateway is provided. The API interfaces the gateway with a generalized network address translator (gNAT) at the kernel level to allow user-mode proxy control. Initially, the proxy binds to a local socket and commands the API to generate a dynamic port-redirect in the gNAT for all connection requests for a given port to itself (at the local port to which it is bound). The API also retrieves the address information of the server to which the client has attempted to connect so that a proper translation mapping may be made. The proxy may also request that the API command an address translation in the gNAT so that further messages between the client and the server need not pass up to the user-mode, but may be dynamically redirected within the kernel-mode.

Abstract: A method of payload editing in an intelligent transparent gateway is provided. Certain applications include addressing information within the data streams of their sessions. When running on clients that are sharing a connection, such applications would send private, unreachable addressing information to remote peers, and the latter would be unable to respond to the clients's requests. The system of the instant invention supports an extensible means of modifying a session's application-layer data in flight, beyond the modifications made to the session's network-layer and transport-layer addressing information. Extensibility is achieved by allowing drivers to inspect the application-layer data in each packet received for a session, and to edit the application data in each packet. These editors register themselves with the gNAT of the instant invention as handlers for a specific TCP/UDP port number, and are henceforth invoked for each message translated in matching sessions.

Abstract: A port reservation API for an intelligent transparent gateway is provided. The API creates one or more port pools that contain port numbers reserved from the gateway's TCP and UDP port numbers. The API then allows the proxy to reserve and release port numbers from the created pools. The API may create and destroy a port reservation, and acquire and release a port number. The creation of a port reservation returns a handle to the network application that can be used for requesting port numbers. The destroying of a port reservation destroys a handle supplied by the previous operation, returning all outstanding port numbers to the network gateway. The acquiring of a port number from a reservation requests one or more port numbers from the network gateway. Finally, the releasing of a port number to a reservation returns one or more previously acquired port numbers to the network gateway.

Abstract: An application programming interface for translation of transport-layer sessions is presented. The system includes kernel-mode support for application-controlled network address translation and user-mode implementation of the redirect API routines. In this way, an application process may request that a network gateway modify the source and/or destination of a given network session in a manner transparent to the original source host and/or the replacement destination host. The ability to perform arbitrary redirection on network sessions under application control allows the establishment of fast path sessions, server load balancing, etc. With the generalized NAT (gNAT) of the instant invention and its associated API, both the source and the destination addresses of message packets may be changed. The address changes are mapped in the gNAT, and may result in apparent sessions between different clients and servers. Depending on the protocol in use (e.g.

Abstract: A method and system for mapping security parameters to a plurality of network sessions is provided. A responding computer maps the security parameters to the combination of packet parameters and a mapped port value used in each of the plurality of sessions. The packet parameters includes IP source and destination addresses, application source and destination ports and protocol type. The mapped port value is assigned by the responding computer to maintain a unique mapping between each security associations and each network session.

Abstract: An intelligent transparent gateway is provided having the advantages of both a proxy and a network address translator, without the necessity of client application compatibility with a proxy. The intelligent transparent gateway is facilitated by a generalized network address translator (gNAT) at the kernel level that is under user-mode proxy control through a proxy application programming interface (API). Initially, the proxy binds to a local socket and commands the API to generate a dynamic port-redirect in the gNAT for all connection requests for a given port to itself (at the local port to which it is bound). The proxy also commands the API to retrieve the address information of the server to which the client has attempted to connect so that a proper translation mapping may be made. The proxy may then service the request itself, establish a session on the client's behalf with the requested server, establish a session on the client's behalf with a different server, etc.

Abstract: A method to synchronize and upload an offloaded network stack connection between a host network stack and peripheral device is presented. A state object for each layer in the stack is sent to the device that includes state variables that are classified as a constant, a cached variable handled by the host, or a delegated variable handled by the device. State that must be updated by the network stack and the peripheral device is cleanly divided. For example, statistics are tracked by the host, the device, or the host and the device. A statistic tracked by both the host and peripheral device is divided into non-overlapping portions and combined to produce the statistic. Once an upload is initiated, the device achieves a consistent state and hands delegated states to the stack. Each layer in the stack takes control of its delegated state and resources at the device are freed.

Abstract: A method to offload a network stack connection is presented. A request, which includes a list of resource requirements from each software layer in the stack, to offload the network stack connection is sent through the stack to the peripheral device. The device allocates resources for the list and sends a handle to each of the software layers for communication with the device. The state for each layer is sent to the device that includes state variables that are classified as a constant, a cached variable handled by the CPU, or a delegated variable handled by the device.

Abstract: A new communications connection timer management framework for handling network communications protocol timers is disclosed. The timer management framework separates transmission control blocks (TCBs) having scheduled actions from the set of all TCBs maintained by a server. The TCBs having scheduled actions are referenced by a time-space partitioned data structure having time-slots corresponding to a current protocol timer “tick” value. The active TCBs are placed within particular ones of the time-space partitions based upon their expiration times. During each timer check sequence (e.g., once every 100 millisecond timer tick for TCP protocol timers), the timer management framework accesses a partition associated with a current timer value and checks the TCBs referenced within the current partition.

Abstract: The present invention is directed to a method and system for managing concurrent access to multiple resources. Resources are assigned to sets in such a way that it is safe to concurrently access any combination of resources in a resource set. For each resource set, a virtual machine is defined and associated with the resource set. An application is assigned to a virtual machine. When an application requests access to a resource not in the application's virtual machine, access control lists are consulted to determine whether the access should be allowed, given the other resources already accessed by the application.